
Changing Antivirus with quarantined items on PC?


14 replies to this topic

#1 Dream1


Posted 07 May 2013 - 06:50 PM

Someone I know is using some type of McAfee antivirus program, they have quarantined viruses/malware that I don't think have been deleted. They want to switch to Norton Internet Security.

 

1) What will happen to the quarantined viruses and malware if McAfee is uninstalled and Norton is installed? I am afraid to delete any of the quarantined items because of their locations, such as some being located on the D drive, which is the recovery drive.

 

2) Will the computer become infected by the viruses/malware if we attempt the switch?




 


#2 TwinHeadedEagle


Posted 07 May 2013 - 11:54 PM

1. They are just files, when uninstalling, check option if possible to remove configuration data and quarantined files...

 

2. No, quarantined files are encrypted or original extension is changed, so they are useless in current state



#3 noknojon


Posted 08 May 2013 - 12:00 AM

Hi -

You should be able to Delete any / all infections that are quarantined without problems - Basically what the Eagle said above :thumbup2:

 

You should always download the new Antivirus to desktop and install from there. This is the 100% safe way.

Because this way you can be off-line while you un / re-install any Antivirus programs -

 

Thank You -



#4 Didier Stevens


Posted 08 May 2013 - 03:50 AM

2) Will the computer become infected by the viruses/malware if we attempt the switch?

 

No, McAfee uses a proprietary file format (which has been reverse engineered) to contain quarantined samples.

These files can not infect your machine, even if you would try to open them.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 quietman7


Posted 08 May 2013 - 12:41 PM

Let me add to what has already been stated in case you do not fully understand the Quarantine process.

When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through proprietary security routines which may copy, rename, encrypt and password protect the file as part of the moving process. Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer.

One reason for doing this is to prevent deletion of a legitimate file that may have been flagged as a "false positive" especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can submit a sample to the security vendor, restore the file and add it to the exclusion or ignore list. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Dream1


Posted 08 May 2013 - 02:35 PM

1. They are just files, when uninstalling, check option if possible to remove configuration data and quarantined files...

 

2. No, quarantined files are encrypted or original extension is changed, so they are useless in current state

I do not want to delete the quarantined items because they're important files, including files on the recovery drive. I previously read that you can delete quarantined only if you do not need the files for any reason. I cannot do any submission of samples to security vendor. So if I don't delete any quarantined items, uninstall McAfee, and install Norton; I won't be at risk of getting infected by those quarantined items?



#7 TwinHeadedEagle


Posted 08 May 2013 - 03:15 PM

You can be sure...

#8 Didier Stevens


Posted 08 May 2013 - 05:51 PM

 

1. They are just files, when uninstalling, check option if possible to remove configuration data and quarantined files...

 

2. No, quarantined files are encrypted or original extension is changed, so they are useless in current state

I do not want to delete the quarantined items because they're important files, including files on the recovery drive. I previously read that you can delete quarantined only if you do not need the files for any reason. I cannot do any submission of samples to security vendor. So if I don't delete any quarantined items, uninstall McAfee, and install Norton; I won't be at risk of getting infected by those quarantined items?

 

 

Can you explain why these quarantined files are important to you? You do realize that when you uninstall McAfee, you won't be able anymore to take these files out of quarantine? (Unless you use some special, unsupported tools which offer no guarantee of success).




#9 Dream1


Posted 08 May 2013 - 10:11 PM

 

 

1. They are just files, when uninstalling, check option if possible to remove configuration data and quarantined files...

 

2. No, quarantined files are encrypted or original extension is changed, so they are useless in current state

I do not want to delete the quarantined items because they're important files, including files on the recovery drive. I previously read that you can delete quarantined only if you do not need the files for any reason. I cannot do any submission of samples to security vendor. So if I don't delete any quarantined items, uninstall McAfee, and install Norton; I won't be at risk of getting infected by those quarantined items?

 

 

Can you explain why these quarantined files are important to you? You do realize that when you uninstall McAfee, you won't be able anymore to take these files out of quarantine? (Unless you use some special, unsupported tools which offer no guarantee of success).

 

It's not my computer. It's got lots of very important files that are not backed up, and if I back them up the person is not going to maintain them so backing them up may create even larger future problems. I should probably back them up regardless though. If I do anything to mess up the computer in any way I will be treated like bleep.

 

The quarantined items include recovery files (so afraid recovery would not work right/work at all if they ever ended up needing to recover, which they very well may since they have so many viruses/malware). I think the quarantined also includes system files for the computer (forget if they were C: system files or recovery system files). What I read is that if you delete quarantined files, they're gone, and whatever used those files is now without those files, so whatever needed them won't run correctly if it runs at all.

 

I don't know whether or not I ever would need to take the files out of quarantine. The person has many many quarantined files. They're overpaying for McAfee and I wanted them to try Norton since I have an extra Norton account available. I was hoping maybe their computer would not run so dreadfully slow if they tried Norton. Their computer used to be ok the first 6-12 months, then got super slow, while all the computers using Norton are fine.

 

You can be sure...

Ok. I asked again because I wasn't sure if you meant quarantined files don't risk infection only if they had been deleted when uninstalling the antivirus.


Edited by Dream1, 08 May 2013 - 10:14 PM.


#10 Didier Stevens


Posted 12 May 2013 - 10:33 AM

The quarantined items include recovery files (so afraid recovery would not work right/work at all if they ever ended up needing to recover, which they very well may since they have so many viruses/malware). I think the quarantined also includes system files for the computer (forget if they were C: system files or recovery system files). What I read is that if you delete quarantined files, they're gone, and whatever used those files is now without those files, so whatever needed them won't run correctly if it runs at all.

 

 

Maybe you misunderstand what a quarantined file is. Say file c:\windows\system32\driver.sys is infected and that your AV detects and quarantines it. To quarantine this infection, it will remove file c:\windows\system32\driver.sys, encode it, and store it in c:\quarantined, for example like c:\quarantined\000001

 

So even if the file is important for Windows, it can't be used anymore once it is quarantined.

 

Anyways, you should make a backup before you make any change.


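A minimal sketch of the quarantine mechanism described in posts #5 and #10 (original removed, content encoded, stored under a numbered name), added here as an illustration and not code from any poster or antivirus vendor. The `QVLT` container layout, the single-byte XOR key and the function names are assumptions made for this example; it is not McAfee's format.

```python
import hashlib
import json
import struct
import tempfile
from pathlib import Path

MAGIC = b"QVLT"  # hypothetical container magic for this toy format
XOR_KEY = 0x6A   # assumed single-byte key; real products use their own schemes


def _xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def quarantine(path: Path, vault: Path) -> Path:
    """Encode `path` into a numbered vault entry and remove the original."""
    payload = path.read_bytes()
    meta = json.dumps({"original_path": str(path),
                       "sha256": hashlib.sha256(payload).hexdigest()}).encode()
    vault.mkdir(parents=True, exist_ok=True)
    entry = vault / f"{len(list(vault.iterdir())) + 1:06d}"
    # Layout: magic, metadata length, encoded metadata, encoded payload.
    entry.write_bytes(MAGIC + struct.pack("<I", len(meta)) + _xor(meta) + _xor(payload))
    path.unlink()  # nothing is left at the original location
    return entry


def restore(entry: Path) -> Path:
    """Decode a vault entry back to its recorded path after an integrity check."""
    blob = entry.read_bytes()
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("not a vault entry")
    (meta_len,) = struct.unpack("<I", blob[4:8])
    meta = json.loads(_xor(blob[8:8 + meta_len]))
    payload = _xor(blob[8 + meta_len:])
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        raise ValueError("vault entry is corrupt")
    original = Path(meta["original_path"])
    original.write_bytes(payload)
    entry.unlink()
    return original


def demo() -> dict:
    sample = b"MZ constructed sample bytes, not a real driver"
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "driver.sys"
        target.write_bytes(sample)
        entry = quarantine(target, Path(root) / "quarantined")
        result = {"entry": entry.name,
                  "original_present": target.exists(),
                  "plaintext_in_vault": sample in entry.read_bytes()}
        result["restored_ok"] = restore(entry).read_bytes() == sample
        return result
```

The vault entry has no executable header and no recognisable name, so the operating system has nothing to load; getting the file back depends on code that knows the container layout, which is what goes away when the product that wrote it is uninstalled.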


#11 Dream1


Posted 13 May 2013 - 03:06 PM

 

The quarantined items include recovery files (so afraid recovery would not work right/work at all if they ever ended up needing to recover, which they very well may since they have so many viruses/malware). I think the quarantined also includes system files for the computer (forget if they were C: system files or recovery system files). What I read is that if you delete quarantined files, they're gone, and whatever used those files is now without those files, so whatever needed them won't run correctly if it runs at all.

 

 

Maybe you misunderstand what a quarantined file is. Say file c:\windows\system32\driver.sys is infected and that your AV detects and quarantines it. To quarantine this infection, it will remove file c:\windows\system32\driver.sys, encode it, and store it in c:\quarantined, for example like c:\quarantined\000001

 

So even if the file is important for Windows, it can't be used anymore once it is quarantined.

 

Anyways, you should make a backup before you make any change.

 

If I need the file to run recovery I will have to take it out of quarantine, so if I delete it I cannot recover. What happens to the quarantined files if I do not delete them?



#12 Didier Stevens


Posted 13 May 2013 - 05:03 PM

If I need the file to run recovery I will have to take it out of quarantine, so if I delete it I cannot recover. What happens to the quarantined files if I do not delete them?

 

 

What I wrote before: if you uninstall McAfee, you won't be able to take them out of quarantine.

And when a file is in quarantine, it is most likely infected. So you should not use it for recovery, or you will reinfect the PC.




#13 Dream1


Posted 18 May 2013 - 07:08 PM

 

If I need the file to run recovery I will have to take it out of quarantine, so if I delete it I cannot recover. What happens to the quarantined files if I do not delete them?

 

 

What I wrote before: if you uninstall McAfee, you won't be able to take them out of quarantine.

And when a file is in quarantine, it is most likely infected. So you should not use it for recovery, or you will reinfect the PC.

 

If I have to recover the computer will recover not work or will recover infect the computer, while the item is in quarantine?



#14 Didier Stevens


Posted 19 May 2013 - 01:10 PM

If I have to recover the computer will recover not work or will recover infect the computer, while the item is in quarantine?

 

 

No, recovering will not infect the computer. And I can't tell if recover will work or not.




#15 dicke


Posted 20 May 2013 - 08:25 AM

Someone I know is using some type of McAfee antivirus program, they have quarantined viruses/malware that I don't think have been deleted. They want to switch to Norton Internet Security.

 

1) What will happen to the quarantined viruses and malware if McAfee is uninstalled and Norton is installed? I am afraid to delete any of the quarantined items because of their locations, such as some being located on the D drive, which is the recovery drive.

 

2) Will the computer become infected by the viruses/malware if we attempt the switch?

 

One more item to add to the check list.

Please run the McAfee removal tools before you try to install any Norton product. They do the same thing, tend to occupy the same places and leave trash when only the control panel uninstall is used

Stay well and surf safe


Stay well and surf safe [stay protected]

Dick E




